🐛 BUG: 1.10.3 unsafe route cannot work #1647

@daiwei-china

Description

What version of nebula are you using? (nebula -version)

1.10.3

What operating system are you using?

Linux arm64 (router) and Windows (PC)

Describe the Bug

The router (Linux arm64, OpenWrt) has the subnets signed into its crt; the PC (Win10) has added the unsafe route. The PC can ping the nebula IP but cannot ping the router's local LAN IPs.

Logs from affected hosts

When the PC pings 192.168.66.1 (which fails), the Windows nebula log shows:

```text
level=info msg="Handshake message received" certName=DwOpwrt.ne certVersion=1 ******="180.****161" handshake="map[stage:2 style:ix_psk0]" initiatorIndex=** remoteIndex=** responderIndex=** sentCachedPackets=6 vpnAddrs="[10.10.16.8]"
```

Config files from affected hosts

PC config (yaml):

```yaml
pki:
  ca: "D:/Nebula/ca.crt"
  cert: "D:/Nebula/1.crt"
  key: "D:/Nebula/1.key"

static_host_map:
     "10.10.16.1": ["106.******:61668"]

lighthouse:
  am_lighthouse: false
  dns:
      host: 10.10.16.1
      port: 53
  interval: 60
  hosts:
    - "10.10.16.1"

listen:
  host: "0.0.0.0"
  port: 0

punchy:  
  punch: true
  respond: true

cipher: aes

preferred_ranges: ["192.168.1.0/24"]

relay:
  relays:
    - 10.10.16.1
  am_relay: false
  use_relays: false

tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: true
  drop_multicast: true
  tx_queue: 500
  mtu: 1300
  routes:
  unsafe_routes:
      - route: 192.168.66.0/24
        via: 10.10.16.8


logging:
  level: info
  format: text
  disable_timestamp: true


firewall:
  outbound_action: drop
  inbound_action: drop

  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: any
      host: any
```

Router config (yaml):

```yaml
pki:
  ca: "/etc/nebula/ca.crt"
  cert: "/etc/nebula/1.crt"
  key: "/etc/nebula/1.key"

static_host_map:
     "10.10.16.1": ["106.******:61668"]

lighthouse:
  am_lighthouse: false 
  interval: 60
  hosts:
    - "10.10.16.1"

listen:
  host: "0.0.0.0"
  port: 0

punchy:  
  punch: true
  respond: true

cipher: aes

preferred_ranges: ["192.168.66.0/24"]

relay:
  relays:
    - 10.10.16.1
  am_relay: false
  use_relays: false

tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  routes:
  unsafe_routes:

logging:
  level: info
  format: text
  disable_timestamp: true

firewall:
  outbound_action: drop
  inbound_action: drop

  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    - port: any
      proto: any
      host: any
```

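As an added illustration (not code from this issue or from the nebula project), the Go program below models the two address checks nebula's firewall applies around an unsafe route: the address on the far side of a tunnel must be the peer's vpn IP or lie inside a subnet signed into the peer's certificate, and the address on the near side must be covered by the local certificate in the same way. Type and function names are my own, the PC's vpn IP (10.10.16.2) is assumed because the report does not give it, and port/proto firewall rule evaluation is left out. It runs the report's topology (PC with `unsafe_routes` to 192.168.66.0/24 via 10.10.16.8, router cert carrying that subnet) in both directions and then the same route against a router cert without the subnet.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Added illustration, not nebula's code: a reduced model of the address checks
// nebula applies around an unsafe route. Names are my own; port/proto rules are left out.

var (
	ErrInvalidLocalIP  = errors.New("local address not covered by our certificate")
	ErrInvalidRemoteIP = errors.New("remote address not covered by peer certificate")
	ErrNoRoute         = errors.New("destination is neither a vpn address nor in unsafe_routes")
)

// Cert holds the address material of a nebula certificate.
type Cert struct {
	Ips     []netip.Prefix // vpn address; the host part is the vpn IP
	Subnets []netip.Prefix // "unsafe" networks signed into the cert
}

func anyOf(ps []netip.Prefix, ok func(netip.Prefix) bool) bool {
	for _, p := range ps {
		if ok(p) {
			return true
		}
	}
	return false
}
// covers: a is one of the vpn IPs (exact match; the prefix length only
// describes the overlay and authorises nothing) or lies in a signed subnet.
func (c Cert) covers(a netip.Addr) bool {
	return anyOf(c.Ips, func(p netip.Prefix) bool { return p.Addr() == a }) ||
		anyOf(c.Subnets, func(p netip.Prefix) bool { return p.Contains(a) })
}
// inOverlay: a is a plain nebula destination, reached directly rather than via a gateway.
func (c Cert) inOverlay(a netip.Addr) bool {
	return anyOf(c.Ips, func(p netip.Prefix) bool { return p.Masked().Contains(a) })
}

// UnsafeRoute is one tun.unsafe_routes entry: Route is reachable via Via.
type UnsafeRoute struct {
	Route netip.Prefix
	Via   netip.Addr
}

// CheckOutbound: a packet src->dst written to our tun; returns the peer vpn IP it is tunnelled to.
func CheckOutbound(local Cert, routes []UnsafeRoute, peers map[netip.Addr]Cert, src, dst netip.Addr) (netip.Addr, error) {
	via, best := netip.Addr{}, -1
	for _, r := range routes { // longest-prefix match, like the OS route table nebula installs
		if r.Route.Contains(dst) && r.Route.Bits() > best {
			via, best = r.Via, r.Route.Bits()
		}
	}
	if local.inOverlay(dst) { // plain nebula destination: no gateway involved
		via = dst
	}
	if !via.IsValid() {
		return netip.Addr{}, ErrNoRoute
	}
	if !local.covers(src) { // outbound: src is the local side of the flow
		return netip.Addr{}, ErrInvalidLocalIP
	}
	if peer, ok := peers[via]; !ok || !peer.covers(dst) { // dst is the remote side
		return netip.Addr{}, ErrInvalidRemoteIP
	}
	return via, nil
}

// CheckInbound is the receiving side: the packet came from peer and is about
// to be written to our tun, so dst is local and src is remote.
func CheckInbound(local, peer Cert, src, dst netip.Addr) error {
	if !local.covers(dst) {
		return ErrInvalidLocalIP
	}
	if !peer.covers(src) {
		return ErrInvalidRemoteIP
	}
	return nil
}

func main() {
	// Constructed from the report; the PC's vpn IP is not given, 10.10.16.2 is assumed.
	pc := Cert{Ips: []netip.Prefix{netip.MustParsePrefix("10.10.16.2/24")}}
	router := Cert{Ips: []netip.Prefix{netip.MustParsePrefix("10.10.16.8/24")},
		Subnets: []netip.Prefix{netip.MustParsePrefix("192.168.66.0/24")}}
	pcIP, rtIP, lan := pc.Ips[0].Addr(), router.Ips[0].Addr(), netip.MustParseAddr("192.168.66.1")
	routes := []UnsafeRoute{{Route: netip.MustParsePrefix("192.168.66.0/24"), Via: rtIP}}
	peers := map[netip.Addr]Cert{rtIP: router, pcIP: pc}
	via, err := CheckOutbound(pc, routes, peers, pcIP, lan)
	fmt.Println("pc -> lan via", via, err, "| router accepts:", CheckInbound(router, pc, pcIP, lan))
	via, err = CheckOutbound(router, nil, peers, lan, pcIP) // reply leaves the router with a LAN source
	fmt.Println("lan -> pc via", via, err)
	unsigned := Cert{Ips: router.Ips} // same router, subnet not signed into its cert
	_, err = CheckOutbound(pc, routes, map[netip.Addr]Cert{rtIP: unsigned}, pcIP, lan)
	fmt.Println("subnet missing from router cert:", err)
}
```

Passing these checks is necessary but not sufficient. With the route in the PC config and the subnet in the router cert, nebula hands the packet to the router's tun; from there the OpenWrt kernel has to forward it (net.ipv4.ip_forward) and the LAN host needs a way back to 10.10.16.0/24, either a return route or masquerading on the router. None of that appears in a nebula log at level info, and the handshake line above only shows that the tunnel to 10.10.16.8 came up.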